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ABSTRACT: The implementation of NSTS 1700. 7B and more forceful scrutiny 
of data packages by the Johnson Space Flight Center (JSC) lead to the 
development of a classification policy for GAS/CAP payloads. The purpose 
of this policy is to classify experiments using the carrier system so 
that they receive an appropriate level of JSC review (i.e. one or multi- 
phase reviews). This policy is based on energy containment to show 
inherent payload safety. It impacts the approach to performing hazard 
analyses and the nature of the data package. This paper endeavors to 
explain the impact of this policy as well as the impact of recent JSC as 
well as Kennedy Space Flight Center (KSC) "interpretations" of existing 
requirements . 

The GAS canister does adequately contain most experiments when flown in 
the sealed configuration (however this must be shoyn, not merely 
stated) . This paper also includes data package preparation guidelines 
for those experiments that require an opening door which often present 
unique safety issues. 


INTRODUCTION 


The GAS carrier system was originally intended to fly inherently safe 
experiments in a sealed canister that provided an adequate level of 
containment. As additional carrier system features were acquired (e.g 
opening doors and ejection systems) and more dangerous experiments were 
accepted in the program the assumption of inherent safety became 
questionable. Moreover a new program, CAP (Complex Autonomous Payloads) 
was recently introduced. CAP payloads also use the GAS carrier system ' 
but are manifested as secondary Space Transportation System (STS) 
payloads whereas GAS payloads are tertiary payloads of flight 
opportunity. Although programmatically distinct the carrier system 
hardware is identical. The implementation of the CAP program, the 
acquisition of additional carrier system capabilities, and the 
visibility of increasingly dangerous experiments lead to a reassessment 
of the manner in which Safety Data Packages (SDPs) are processed at the 
Goddard Space Flight Center (GSFC) and JSC. The implementation of a new 
policy classifies payloads for inherent danger and directly relates to 
the logic of hazard analyses and the manner in which SDPs are prepared. 
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BACKGROUND 


GSFC had routinely processed GAS payloads in accordance with mutual 
agreements among the centers that were forged years ago at the inception 
of the GAS program. The purpose of these agreements or understandings 
was to simplify the processing of payloads and the development of all 
documentation related to flight approval. The nature of these agreements 
considered the inherent danger of the user's hardware /operations within 
the context of the standard carrier system which provides containment by 
the canister as a fundamental and incontrovertible hazard control. 
Unfortunately, these agreements were never formally documented and over 
the years as the experiments became more complex and the carrier system 
acquired additional features, the "ground rules" became more and more 
subject to interpretation. In the recent past these interpretations have 
differed significantly and the distinction between design guidelines 
versus design requirements has become muddled even though the original 
GAS concept (i.e inherent safety by containment) remains consistent for 
a majority of the payloads flown. 

The purpose of the classification scheme for payloads utilizing the GAS 
carrier system is to determine the appropriate level of JSC scrutiny in 
the phased safety review process based only upon the inherent danger 
posed to the Orbiter or its crew by the payload regardless of 
programmatic considerations. An overview of the carrier system, the 
initial safety review process, and the approach for classifying and 
reviewing GAS /CAP payloads is presented below. 

CARRIER SYSTEM OVERVIEW 

The basic GAS carrier system is comprised of either a 5 or 2.5 cu ft. 
canister that is mounted to either an adapter beam in the cargo bay or 
to the GAS bridge structure which straddles the cargo bay . Each beam can 
accommodate 2 canisters whereas the bridge can carry up to 12 GAS 
canisters. Additionally, each canister configuration can vary depending 
upon the needs of the experiment that is contained in the canister. 
However, the majority of GAS /CAP payloads utilize the most basic 
configuration which is the sealed canister with no intentional venting 
and an inerted (i.e. no oxidizers present) internal atmosphere at 1 atm. 
The bridge, adapter beams, associated mounting hardware, as well as the 
canisters and the canister components are reflown hardware that is 
systematically tracked and refurbished or replaced in accordance with 
procedures approved by JSC. 

The canister itself is made of two 0.625 in. thick aluminium end plates 
mounted to opposing ends of a 0.125 in. thick aluminium cylinder. The 
canister design has been verified by proof pressure testing to 115 psig. 
The basic canister configuration includes two pressure relief valves in 
the bottom endplate set at 30 and 45 psid. After the experiment is 
integrated into the canister and the endplates are mounted, the canister 
is leak checked and later backfilled with dry nitrogen prior to launch. 

The fundamental premise of the basic carrier system configuration is the 
control of hazards via containment. In the case of solids (e.g. failed 
structure) it has been shown by analysis that the canister will contain 
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any failed structure up to 200 lbs. (which is the weight constraint for 
GAS /CAP payloads) under all possible STS loading conditions. This 
analysis has been reviewed and approved by JSC. There are only 2 
constraints for payloads related to structures: the Center of Gravity 
(CG) envelope which is virtually impossible to violate, and the 
requirement that the payload’s fundamental frequency be greater than 35 
Hz. These requirements relate to the attachment points of the can to 
either a beam or the bridge and not directly to the hardware sealed 
inside the canister. 

The fact that the canister has been shown to contain failed experiment 
support structure does not obviate the need for a structural analysis of 
the experiment as such an incident would damage the GAS avionics and 
associated equipment. Furthermore, the analysis pertains only to 
unaccelerated debris and does not envelope dynamic situations (e.g. 
exploding pressure systems). 

As mentioned above the canister is leak tested, post-payload integration 
and prior to launch which, in GSFC’s view, confirms the asserted control 
of primary containment for fluids as long as the fluid is compatible 
with the canister and does not degrade the endplate or relief valve 
seals. Material usage in the canister is reviewed and approved by the 
GSFC Material Branch for the purpose of compatibility with the 
particular application. 

The GAS carrier system may also be configured to vent through the 
endplate on ascent via a filtered port or through a check valve (in the 
former the canister represssurizes upon reentry while in the latter it 
lands at vacuum) . Any portion of the canister or any sealed container 
within the canister may be vented to space through one of the purge 
ports. The canister may be equipped with a Standard Door Assembly (SDA) 
which can be opened on - orbit exposing the experiment to space . 
Additionally, an ejection system to launch small satellites has been 
developed and been approved by JSC as have the SDA. 

There are two other hardware options available to the GAS carrier user. 
Each canister may be equipped with a redundant battery vent system that 
is used to vent a sealed battery box outside of the canister through 
filtered pressure relief valves set at 15 psid. This option is highly 
recommended and frequently used as a control for the potential of 
accumulating gases from discharging batteries inside the canister. The 
other option is a baroswitch which can be used to turn the payload 
on/off at a predetermined altitude during ascent/descent . Ordinarily the 
payload is turned on/off by the crew via the APC (Autonomous Payload 
Controller) in the cabin. 

INITIAL GAS /CAP SAFETY REVIEW PROCESS 


By mutual agreement GSFC conducts what is analogous to the Phase 0,1, 
and II Safety Reviews. This process is often multi-iterative involving 
the user and GSFC personnel from the Special Payloads Division (code 
740) and the System Safety Branch (code 302). When necessary specialized 
experts are available and consulted for specific issues (e.g. 
electrical, thermal, mechanical). Each Payload Organization (PO) is 
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required to submit a materials list which is reviewed by the GSFC 
Materials Branch (Code 313) and a structural analysis which is reviewed 
by a Code 740 contractor. The PO is also required to submit a 
Preliminary , a Final, and a Phase III Safety Data Package in accordance 
with certain milestones in the payload processing timeline. GSFC acts 
essentially as a surrogate safety review panel for all but the ultimate 
Phase III SDP which is submitted to 
JSC ( 1 ) . 

The review critique by GSFC considers the configuration of the carrier 
system as well as that of the contained hardware. The original concept 
of GAS was safety via containment as described above in the overview. 

The majority of GAS payloads are in the truly sealed configuration; they 
do not vent and they do not have SDAs . This concept of containment seems 
to have been lost in recent times at both GSFC and JSC . The logic of 
requiring a fuse on two seriesed "AA" alkaline battery cells inside a 
sealed canister made of 0.125" thick aluminum with 0.625" endplates that 
has been proof tested to 115 psig is not apparent. 

There are some GAS payloads for which the containment argument is not 
true and the review logic is accordingly adjusted. For example, in a 
vented or MDA canister two "AA" cells could represent a viable ignition 
source which would need some kind of circuit protection or environmental 
isolation. The absence of the containment control gives rise to more 
potential hazards in terms of possibilities and magnitude. 

Until the classification scheme was adopted there was no systematic 
approach to evaluate the inherent risk that the payload poses within the 
context of the carrier system in its various configurations . 

CLASSIFICATION OF PAYLOADS USING THE GAS CARRIER SYSTEM 


The classification strategy is based upon the degree of containment 
offered by the carrier system which depends upon the characteristics of 
the user's payload as well as the configuration of the carrier system. 

Structures/Fluid Containment Properties 

A properly assembled GAS canister has been shown by analysis to be 
capable of containing fractured structure weighing up to 200 lbs. which 
is the maximum mass allowed by GSFC. The proper assembly of the canister 
at the launch site is assured by following standard assembly procedures 
performed by GSFC field operations personnel. 

Beyond the containment control for failed structure the structural 
integrity of the user's hardware is designed and verified to margins of 
safety in excess of those required for STS payloads. This is imposed by 
GSFC for although failed structure inside the canister would not pose a 
threat to the Orbiter it most likely would damage the carrier system 
hardware . 

In a truly sealed GAS canister primary fluid containment is also 
verified in the field by a leak test of the canister in accordance with 
the standard assembly procedures. 
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Energy Containment Properties 

The sealed GAS canister is capable of fully containing a limited amount 
of energy that may be released by the enclosed system. Additionally, it 
is also capable of releasing energy to the ambient environment in a 
controlled fashion via the pressure relief valves and by the passive 
thermal control system. The amount of stored energy used to operate the 
payload inside the canister is known and limited. For the most part, 
energy is in the form of potential energy that is chemically stored in 
the battery pack, however other devices such as pressure vessels are 
also to be considered in the analysis. 

The rate at which the contained payload can release this energy depends 
upon the characteristics of the possible processes that can transform 
the stored energy of the payload into other dissipative forms of energy 
(heat, kinetic, and rf energy). 

For example, all of the energy in the battery could be dissipated over a 
short period of time as heat via a dead short across its terminals 
resulting in a temperature rise of the battery. There is also the 
potential outgassing of combustibles from the battery. Some of the 
generated heat would cause an increase in the temperature and pressure 
in the canister but, this value can be calculated and compared to the 
canister pressure containment tolerance. 

In the above example a dead short of a battery was assumed for the 
purpose of illustrating the concept. Batteries are particularly 
important devices as they provide all of the power to run the payload. 

It is not the intent of this approach to compromise prudent battery 
design features such as fusing the primary battery pack to prevent dead 
shorts. However, the need for fusing very low energy batteries in 
innocuous applications (e.g. flash bulbs, clocks, and memory backup) in 
sealed and inerted canisters is questionable and is evaluated in the 
context of energy containment. 

Alternatively, the payload may contain a sealed fluid system or pressure 
vessel. If all of the battery energy is consumed by heating the fluid 
which overpressurizes the system then the energy may be released 
instantaneously depending upon the fracture mechanics of the fluid 
system. However, the amount of energy that can be released is known and 
limited. Again, if it can be shown that the instantaneous release of 
energy is the worst possible case and that the canister contains it or 
dissipates it in a controlled manner, we see no hazard to the Orbiter. 

The canister is equipped with one filtered relief valve set at 30 psi 
and an unfiltered relief valve set at 45 psi (the canister has been 
proof tested to 115 psi) that provide accelerated pressure relief. As 
long as it can be shown that the rate of the pressure increase is less 
than the venting capacity of the pressure relief system and that the 
vented fluid is not intrinsically hazardous or incompatible with the 
Orbiter bay environment in any phase of the mission, we see no hazard to 
the Orbiter. 
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With respect to RF energy release the truly sealed canister has been 
shown to exhibit 70 db attenuation. Nevertheless all payloads that have 
significant EMI sources are required to show compliance with the STS 
ICD . 

GSFC proposed that truly sealed GAS canisters in the most basic standard 
configuration as described above, and whose energy containment 
capabilities and materials compatibility are satisfactorily demonstrated 
be classified as class "B M (for benign) GAS /CAP payloads. The analysis 
of energy containment will be included in the SDP and will demonstrate 
containment in the worst case energy dissipation scenario possible and 
will evaluate the margin of the analysis. 

GSFC also proposed that SDA payloads with no batteries (essentially 
exposure experiments) be included in the class B category. The 
structures hazard report will include fracture control requirements 
compliance . 

GAS /CAP payloads that do not meet the criteria described above will be 
classified as n C" (for controlled) GAS /CAP payloads. These payloads will 
include ejectables and most of the other SDA canisters as well as some 
canisters that are not truly sealed (i.e. vent in part or in whole on 
ascent) . 

It must be recognized that the energy containment analysis is not a 
trivial exercise. It will involve an analysis of all energy storing 
devices (i.e. batteries, pressure vessels, chemical reactions, springs, 
flywheels, etc.) and the possible ways in which that energy can be 
transformed, possibly accumulated, and released. The intent of the 
modeling effort used to evaluate energy containment will initially be 
simplistic but may have to be refined to more accurately reflect the 
system if necessary. For example, assuming that all of the stored energy 
is consumed in an adiabatic process which raises the temperature (and 
pressure) of the nitrogen is a theoretical upper bound but in most 
instances it does not represent a process that is physically possible. 
However, if such a calculation confirms containment then there is no 
need for a more sophisticated model, otherwise the model will be 
refined. 

This may sometimes involve complex thermodynamic analyses including 
transient multi-media heat transfer problems as well as other processes 
that are characteristic of the system and its environment. 


SAFETY REVIEW PROCESSING 

GSFC and JSC have determined that class B payloads be processed in much 
the same manner as most GAS /CAP payloads were initially processed. The 
only submittal to JSC will be the Phase III data package which can be 
processed "off line" without the need for a formal "face-to-face" review 
with the panel, however GSFC will support a formal review if deemed 
necessary by JSC. In short, return to the original concept of GAS 
payloads being considered as benign ballast. 


290 


When containment, as defined above , cannot be shown analytically (Class 
C) or when the margin of safety is questionable GSFC will issue a Phase 
0/1 SDP submittal with an option for a formal "face-to face" review. The 
second and third submittals will be the Phase XI and III SDPs (or a 
combined Phase 2/3 if mutually agreed to) for which there will be a 
standard STS safety review. 

THE SAFETY DATA PACKAGE 

Much of this paper has been dedicated to defining the JSC/GSFC policy on 
safety reviews while foregoing any discussion as to its impact on the 
data package itself. Simply, the new policy is significant, yet minimal. 
All data packages should contain the information in a format as adeptly 
described by Gum. Compliance with JSC 13830B and NSTS 1700. 7B must be 
shown. The minimal impact is the required inclusion of the containment 
analysis, particularly energy containment, in the safety assessment 
section of the document . 

This analysis must show whether or not the payload is Class "B" for 
benign or "C" for controlled. In the former case it is acceptable to 
include information regarding system controls that limit certain 
experimental parameters (e.g. thermostats on heaters) within the 
descriptive narrative of the experiment. However, it should be 
emphasized throughout the document and especially in the safety 
assessment that such devices relate only to mission success and are not 
hazard controls. The class "B tt payload, by definition, assumes total 
loss of all controls with no safety consequences. This must be shown not 
just merely asserted. It is anticipated that such payloads will have a 
minimum of 2 hazard reports: one for structural failure and one for 
asserting energy containment as described above. In some cases it may be 
necessary to include others (e.g. secondary fluid containment or 
batteries ) . 

The SDP for the class n C” payload must show that hazard controls are 
either single or dual fault tolerant as appropriate pursuant to the 
criteria in NSTS 1700.7B. The proper approach in preparing a SDP is to 
perform a hazard analysis to determine if there are any hazards. If 
found, the level of control is defined by assessing the potential 
magnitude (i.e. Catastrophic or Critical) of the hazard. It is 
inappropriate and unacceptable to forgo the hazard analysis and 
arbitrarily include hazard controls in experimental designs. This 
applies to all "B" and "C" class payloads. 

Beyond the technical requirements and results of analyses /tests the SDP 
must be clear and concise. It must be appreciated that the JSC review is 
usually conducted off-line so that there is no real time dialogue among 
GSFC and JSC during the evaluation of the SDP. The SDP must accurately 
and unambiguously describe the experiment, how it works, what the 
hazards (if any) are and how they are controlled. 
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